The xz software package has been compromised by what appears to be a long and well-planned operation.

Assuming the perpetrator has the nation state resources behind them, which country is ultimately responsible? This includes all the intelligence agencies working for that country.

Please request new countries in comments; I'm willing to consider options for specific non-nation state operators if you have a good argument for it (so "Organized crime" as such won't do, but "OPEC" would)

If this turns out to be the work of a single or few talented individuals, resolves N/A.

I may bet in this market.

See also https://manifold.markets/retr0id/will-the-authors-of-the-xzutils-bac for an alternate view and more background.